KR101636638B1 - Anti-malware protection operation with instruction included in an operand - Google Patents

Abstract

A system and method for extending anti-malware protection to a system having multiple storage devices, such as RAID, is disclosed. In an embodiment, a trusted connection may be established between the host and the controller of the plurality of storage devices. Trusted connections can use a variety of information encryption techniques that weaken attempts by malware to preserve the malware infected location on the storage device by retransmitting anti-malware protection related actions by the host. Through encryption and trusted connections between the host and controllers of multiple storage devices, anti-virus and / or anti-malware software (AVS) sends encrypted anti-malware protection related actions to controllers of multiple storage devices, Can be overcome. Other embodiments may be described and claimed.

Description

ANTI-MALWARE PROTECTION OPERATION WITH INSTRUCTION INCLUDED IN AN OPERAND}

This disclosure generally relates to the technical field of data processing. In particular, this disclosure relates to extending anti-malware protection to systems with multiple storage devices, particularly redundant array independent disk (RAID) systems.

Malware (or malicious code) is a generic term used to refer to various types of software that can cause problems or damage a computer. The term malware can include viruses, worms, Trojan horses, macro viruses, rootkit malware, and backdoors. Over time, malware has evolved to become more and more secretive and to target attacking goals.

In some cases, malware has become more secretive by infecting kernel modules (for example, rootkits) and hiding them into the core operating system. Those running as rootkits, especially administrators or high-level privileges (for example, ring 0 privileges in the case of Intel architecture processors), require either a traditional anti-virus solution or an anti-malware solution , AVS). ≪ / RTI > For example, a rootkit with administrator privileges and other malware hidden in it can block queries from AVS and save incorrect information to AVS to preserve the way to the storage device.

Embodiments of the invention are illustrated by way of example and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to like elements.
1 is a block diagram of a computing device suitable for use to implement various embodiments of the present disclosure.
Figure 2 is a flow chart illustrating operation for various embodiments of the method of the present disclosure.
3 is a block diagram of a computing arrangement suitable for use in implementing various embodiments of the present disclosure.
Figure 4 is a swim lane diagram illustrating a trust reading process in accordance with various embodiments of the present disclosure.
5 is a swim lane diagram illustrating a trust reading process in accordance with various embodiments of the present disclosure.
6 is a swim lane diagram illustrating retention of a trust channel process in accordance with various embodiments of the present disclosure.

Embodiments of the present disclosure may relate to extending anti-malware protection to systems with multiple storage devices. In an embodiment, a trusted connection may be established between the host and multiple storage devices. Trusted connections can use a variety of information encryption techniques that weaken attempts by malware to preserve the malware infection location on the storage device by retransmitting anti-malware protection related actions by the host. Through encryption and trusted connections between the host and the controllers of multiple storage devices, the anti-virus and / or anti-malware software (AVS) sends the encrypted anti-malware protection related actions to the controllers of the multiple storage devices, Detection and / or conversion can be overcome.

According to one embodiment, the controller may receive a first instruction from the host device having a first address and an operand. The first instruction may be associated with a nominal antimalware protection related operation, and the first address may refer to a first one or more storage locations of the plurality of storage devices. In addition, the controller may recover from the operand a second instruction to be operated in a second one or more storage locations of the plurality of storage devices. The controller may then execute a second instruction to operate at a second one or more storage locations to effect anti-malware protection related operations.

Various aspects of the exemplary embodiments will be described using terms commonly used by those skilled in the art to convey the nature of the operation to others skilled in the art. However, it will be apparent to those skilled in the art that some alternative embodiments may be practiced using some of the described aspects. For purposes of explanation, specific numbers, materials, and configurations are set forth in order to provide a thorough understanding of the exemplary embodiments. However, it will be apparent to those skilled in the art that alternative embodiments may be practiced without the specific details. In other instances, well-known features may be omitted or simplified in order not to obscure the exemplary embodiment.

In addition, while the various operations are, in turn, described as a number of separate operations in a manner that is most helpful in understanding the exemplary embodiment, the order of description should not be construed as implying that such operations are necessarily order dependent. In particular, such operations need not be performed in the order of presentation.

The phrase "in one embodiment" is used repeatedly. The phrase "generally" does not refer to the same embodiment, but may be mentioned. The terms "comprising," "having," and "including" are synonymous unless the context indicates otherwise. The phrase "A / B" means "A or B". The phrase "A and / or B" means "(A), (B), or (A and B) ". At least one of the phrases "A, B, and C" means "A, B, C, A and B, A and C, B and C, " The phrase "(A) B" means "(B) or (A B) ", that is, A is optional.

FIG. 1 illustrates a computing device 100 suitable for practicing the embodiments of the present disclosure. As will be described in greater detail below, the computing device 100 may be configured to be resilient to a multiway that may infect one or more storage devices of the computing device 100. As shown, the computing device 100 may include a central processing unit (CPU) 102, a system memory 104, a chipset 106, and a multiple device controller 108 coupled together. The multiple device controller 108 may in turn be coupled to one or more storage devices 110a, 110b (collectively, 110).

The host CPU 102 may be one or more of a variety of single-core or multi-core microprocessors configured to fetch and execute a plurality of instructions. Host CPU 102 may execute instructions of an operating system configured to facilitate operation and interconnection of various components of computing device 100, for example. Host CPU 102 may also execute instructions of an application launched by the operating system. According to one embodiment, the host CPU 102 is a multicore processor, such as the Intel® Core i3, Intel® Core i5 and Intel® Core i7 microprocessors available from Intel® Corporation of Santa Clara, Calif.

The system memory 104 may be communicatively coupled to the host CPU 102. The system memory 104 may be configured to receive and store the instructions executed by the host CPU 102 and the data associated with the instructions being executed. The system memory 104 may include non-volatile and / or volatile memory. In an embodiment, the system memory 104 may include one or more of a dynamic random access memory (DRAM), a synchronous dynamic random access memory (SDRAM), a read only memory (ROM), a flash memory,

The chipset 106 may combine signals between the system memory 104, the various input / output units, and the host CPU 102. In an embodiment, the chipset 106 may include a memory controller. In another embodiment, the chipset 106 may include a complementary interface to a direct media interface (DMI) that is integrated with the host CPU 102.

The chipset 106 may transmit signals to and receive signals from the multi-device controller 108 via the communications link 112. The communication link 112 may be any of a variety of communication interfaces. For example, communication link 112 may include but is not limited to Serial Advance Technology Attachment (SATA), Integrated Development Environment (IDE), peripheral component interconnect (PCI), Small Computer System Interface (SCS), HyperTransport A control bus, an address bus, and a data bus. Alternatively, the communication link 112 may be a point-to-point network connection, such as Ethernet, or a wireless connection, such as following one of the Institute of Electrical and Electronic Engineers (IEEE) 802.11 standards.

With continuing reference to FIG. 1, the multiple device controller 108 may be configured to communicate with the host CPU 102 over the communication link 112 to receive and respond to instructions regarding the storage device 110. In an embodiment, the multiple device controller 108 may be a card that is integrated into the computing device 100 via a connector that supports the communication link 112. According to one embodiment, the multiple device controller 108 may be integrated into the chipset 106. According to another embodiment, the multi-device controller 108 may be a stand-alone device implemented by a modular networking rack or cabinet and communicates with the chipset 106 via a network connection.

In an embodiment, the multi-device controller 108 is configured to communicate (by the chipset 106) with the host CPU 102 over a trusted connection to perform anti-malware related operations. In an embodiment, the multiple device controller 108 includes a bus 114, an interface controller 116, a buffer 118, a parity generator 120, a random access memory (RAM) 122, Microcontroller 124, controller firmware 126, and one or more storage controllers 128a, 128b (collectively 128).

The bus 114 may be configured to provide a low resistance connection between several components of the multiple device controller 108. The interface controller 116 is configured to communicatively couple the bus 114 to the communication link 112 to convert the protocol used for the communication link 112 to a protocol compatible with the components of the multi- . The buffer 118 may be coupled to the bus 114 and configured to provide temporary storage to the microcontroller 124. Parity generator 120 may be coupled to bus 114 and may be configured to support encrypted communication by microcontroller 124 by generating parity data for data processed by microcontroller 124. [ In an embodiment, parity data may also be stored on one or more storage devices 110. In an embodiment, the parity generator 120 may be configured to generate dedicated or distributed parity according to various embodiments of the present disclosure. The RAM 122 may be coupled to the bus 114 and may support the microcontroller 124 by storing and providing instructions and their operands and may be operable to transmit data to and receive data from the host CPU 102 And to facilitate storing data in one or more storage devices 110 and retrieving data therefrom. RAM 122 may be one of an SRAM, a DRAM, an SDRAM, or any of a variety of types of random access memory, according to some embodiments of the present disclosure.

The microcontroller 124 may be communicatively coupled to the bus 114 to receive the instruction and its operands from the host CPU 102 and to transmit the instruction and its operands to the one or more storage controllers 128 . The microcontroller 124 may be configured to execute instructions and may include one or more of an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and the like. The microcontroller 124 is configured to send the instruction (and its operands, if applicable) to the one or more storage controllers 128 to write data to or read data from the one or more storage devices 110 . Microcontroller 124 may be configured to read data from and write data to one or more storage devices 110 in response to instructions received from host CPU 102. [

Malware that infects a computer system may change instructions sent from the host CPU to the storage controller. When malware infects a computer system, the malware often renders the malware code and / or data to a nonvolatile memory or permanent storage location of the computer system so that the malware resumes operation upon power up of the computer system after a reset or power down of the computer system Lt; / RTI > As discussed previously, some malware may infect a higher privileged portion of the operating system, such as the kernel. Then, malware will affect privileged access to the operating system to resend attempts by AVS or other programs to read or write to non-volatile memory or locations in persistent storage that store malware code and / or data . For example, an AVS running by a computer system may attempt to scan non-volatile memory or persistent storage to retrieve a pattern representing the way by reading the location of each of the memory or storage devices. Deeply rooted malware can block attempts by the AVS to read or write to the location of a particular memory by changing the address of a read or write command sent to the controller of the nonvolatile memory or permanent storage. Thus, it may be difficult to remove malware using high privileged access without a trusted connection to the controller of non-volatile memory or persistent storage.

The microcontroller 124 executes the instructions of the controller firmware 126 to establish and maintain a trusted connection between the multiple device controller 108 and the host CPU 102, . The controller firmware 126 may be configured to cause the microcontroller 125 to perform the encryption function. Specifically, controller firmware 126 may include instructions that, when executed by microcontroller 124, enable multi-device controller 108 to establish an out-of-band connection with an AVS executed by host CPU 102 have. For example, the controller firmware 126 may be configured so that the microcontroller 124 responds to a trusted connection protocol initiated by the AVS. In an embodiment, the controller firmware 126 may cause the microcontroller 124 to request a signing certificate from the AVS in response to receiving a request by the AVS to establish a trusted connection, to authorize the AVS to establish a trusted connection . Controller firmware 126 may include a decryption code such as a public key for the certificate of the AVS to decrypt the message received from the AVS. Additionally, the controller firmware 126 may include a controller certificate with a secret key, so that the AVS and the multiple device controller 108 use a dual level of encryption. This communication between the AVS and the multi-device controller 108 is generated concurrently in parallel to read / write commands issued to the multi-device controller 108 by another program, such as an operating system executed by the host CPU 102 . Thus, the trust and authentication connection can be established out-of-band between the programs executed by the multi-device controller 108 and the host CPU 102.

The controller firmware 126 may be configured to support additional cryptographic communication between the multiple device controller 108 and a program executed by the host CPU 102. [ According to one embodiment, the AVS may issue a read / write command to the multi-device controller 108 using the dummy address and the AVS may encrypt the actual read / write address with the payload or operand of the command. According to one embodiment, in addition to using the public key of the certificate of the multi-device controller 108, the AVS may encrypt the actual read / write address with the operand by encrypting the operand with the secret key of the certificate of the AVS. Often, malware can attempt to retransmit commands that are sent to memory / storage locations occupied by malware. However, since the location address associated with this command is a dummy address, there is a possibility that the malware will ignore such a command, since the command does not appear to be retransmitted to the memory location occupied by the malware. The malware will not be able to resend such an instruction with an address encrypted with the operand of the instruction for at least two reasons. First, malware will not be able to retransmit commands because the actual address at which the command is sent is done with the payload or operand of the command. Secondly, the malware will not be able to retransmit the command because the decryption code, public key, secret key, and / or similar techniques used to decrypt the encrypted operand are stored in the controller firmware 126 in the embodiment. Thus, a retry attempt by malware will be detectable and reportable when the multi-device controller 108 attempts to authenticate an instruction received from the AVS. Although an encryption technique associated with a public key infrastructure is described herein, controller firmware 126 in an alternate embodiment may be implemented by the host CPU 102 by way of the multi-device controller 108 using other encryption techniques known to those skilled in the art To communicate with a program that is being executed.

Controller firmware 126 may be configured to perform the encryption function described above by utilizing firmware support 130. [ In an embodiment, the firmware support 130 may include several logical blocks that support the encryption function described above. The firmware support 130 may include an instruction processor 132, a read / write address generator 134, a parity generator 136, and an encryption and message authentication code (MAC) The firmware support 130 may be stored in an updatable non-volatile memory such as flash according to one embodiment of the present disclosure. The encryption and MAC support 138 allows the microcontroller 124 to encrypt and decrypt the message, verify the authorization of the program to be executed by the host CPU 102, such as the AVS, maintains one or more trusted connections with the program Read / write address generator 134, and parity generator 136 to make the data to be written to the processor.

One or more storage controllers 128 may be coupled to bus 114 and one or more storage devices 110.

One or more storage devices 110 may be communicatively coupled to the multiple device controller 108 via a corresponding communication link 140a, 140b (collectively 140). The one or more storage devices 110 may be one or more hard disk drives (HDDs), solid-state drives (SSDs), or other non-volatile memory. The one or more storage devices 110 may include an array of independent disks communicatively coupled to be read or written by the multiple device controller 108. The communication link 140 may collectively form a small computer system interface (SCSI), an integrated drive electronics (IDE) interface, or other similar storage interface according to various embodiments of the present disclosure.

In an embodiment, the one or more storage devices 110 may be configured to store and retrieve data in a striped fashion in response to operations by the multiple device controller 108 in accordance with an embodiment. For example, data may be stored on one or more storage devices 110 in a striped fashion without parity, mirroring, or redundancy. As another example, data may be stored on one or more storage devices 110 in striped fashion using byte-level striping and dedicated parity. As another example, data may be stored on one or more storage devices 110 using one of bit-level, byte-level, and block-level striping and using either dedicated parity or distributed parity. As a result, the one or more storage devices 110 may be configured to be operated by multiple device controllers 108 in any one or more of the standard RAID levels, e.g., RAID levels 0-6 in a redundant array of inexpensive disks (RAID) .

The AVS may rely on the previously described trusted connection between the AVS and the multi-device controller 108 to detect the presence of malware. For example, if the AVS can not establish a trusted connection with the multi-device controller 108, or if the read / write command is rejected or causes inaccurate data. In an embodiment, the AVS may provide an indication to the display to notify the user that malware may reside in one or more of the storage devices 110. Additionally or alternatively, the AVS may send an electronic notification to one or more users that the malware may reside on one or more storage devices 110, so that corrective action can be taken.

Advantageously, the inclusion of encryption functionality within the multiple device controller 108 allows the host CPU 102 to establish and maintain a trusted connection between multiple device controllers 108 and one or more programs executed by the host CPU 102 do. Trusted connections provide the ability to scan and correct malware (e.g., redundant description) stored in one or more storage devices 110 to an anti-malware program. Trusted connections provide the ability to correct malware in anti-malware programs even when the malware has achieved high privileged access within the computing device 100.

FIG. 2 illustrates a method 200 of operating a controller of a plurality of storage devices, such as multiple device controller 108, in accordance with various embodiments. At block 202, the method 200 may be associated with a nominal antimalware protection related operation (e.g., initiated by an AVS executed by the host CPU 102) by a controller of the plurality of storage devices And receiving a first instruction having a first address. The controller may receive a first instruction from the host CPU 102, which may be coupled to the multiple device controller 108. The first instruction may comprise a first address and an operand. The first address may refer to a first one or more storage locations of the storage device.

As discussed above in connection with FIG. 1, the AVS executed by the host CPU 102 may include one or more encryption keys, for example AVS secret encryption keys, and a multi-device controller (not shown) to encrypt the operands of the first instruction 108 may be used.

At block 204, the method 200 may include restoring the second instruction from the operand, by the multi-device controller 108. The second instruction may be operated in a second one or more storage locations of the plurality of storage devices. The second instruction may be substantially associated with anti-malware protection related operations. In an embodiment, the first and second one or more storage locations may differ depending on at least one storage location.

Allowing the controller to recover the second instruction from the operand of the first instruction may prevent the way to retrieve the target storage location of the anti-malware protection related operation. According to one embodiment, the second instruction may be encrypted to further prevent malware from retrieving anti-malware protection related actions.

At block 206, the method 200 may include executing a second instruction by the multiple device controller 108 to operate at a second one or more storage locations to perform anti-malware protection related operations.

Operating at a second one or more storage locations may include reading a second one or more storage locations to retrieve a pattern representing a multiway that resides in the storage location. Additionally, operating at a second one or more storage locations may include writing new data to a second one or more storage locations to remove malware residing in the storage location.

At block 208, the method 200 includes assembling the data read from the second one or more storage locations by the multi-device controller 108 to form assembled data if the second instruction is a read command , And returning the data assembled by the multi-device controller 108 to the host CPU 102 as readout data of the first instruction.

The method 200 may be wholly or partially implemented by the computing device 100. For example, the computing device 100 may be a computer readable storage medium embodied in instructions configured to enable the multi-device controller 108 to perform any or all of the operations of the method 200 in response to the execution of the instructions. . ≪ / RTI > According to one embodiment, the computer readable medium can be a non-transitory computer readable storage medium. Furthermore, one or more of the techniques or components described in connection with FIG. 1 may be combined with the method 200 or used in the method.

FIG. 3 illustrates a system 300 configured to perform anti-malware related operations in accordance with various embodiments of the present disclosure. The system 300 may include a host device 302 communicatively coupled to one or more storage devices 110, and a back-end server 303.

Host device 302 may include software and hardware to support a trusted connection or an out-of-band second channel to perform anti-malware related operations. The host device 302 may include an operating system 304 communicatively coupled to the multi-device controller 306 via a first channel 308. The multi- The first channel 308 may be any of a number of standard interfaces, such as ATA, PCI, Ethernet, etc., used between the host CPU (as shown in FIG. 1) and the storage controller. The first channel 308 represents a physical connection between the multiple device controller 306 and the hardware executing the operating system 304. The first channel 308 also represents a logical connection between the operating system 304 and the controller firmware 310.

The operating system 304 may be a Windows product developed by Microsoft Corporation in accordance with various embodiments of the present disclosure, a UNIX based environment, or a Macintosh related environment such as OS X. [ The operating system 304 may include a file system 312 and a personal software development kit (SDK) 314. The file system 312 may be a program operable by an operating system 304 that allows the user and the operating system 304 to organize and efficiently retrieve data stored on one or more storage devices 110. The personal SDK 314 may include various tools that enable development of software operable by the operating system 304.

The multiple device controller 306 may be configured to set and maintain a second and trusted communication channel 316 in addition to maintaining the first communication channel 308. [ The multi-device controller 306 may include controller firmware 310, memory 318, and a system-on-chip 320. According to one embodiment, the multiple device controller 306 may be the multiple device controller 108 of FIG.

Controller firmware 310 may include establishing and maintaining a trusted channel as a program and cryptographic functionality to support a computer system external to host device 302. [ The controller firmware 310 includes a plurality of instructions configured to enable the multiple device controller 306 to operate on one or more storage devices 110 in response to an instruction received from the operating system 304 in accordance with the standard operation of the storage controller . The controller firmware 310 may include a plurality of instructions that when enabled by the multiple device controller 306 enable the multiple device controller 306 to establish the trust channel 316. [

Controller firmware 310 may include firmware support 322 and trust application programming interface 324 and controller firmware 310 may include firmware support 322 and trust API 324 may be used. Additionally, the firmware support 322 may include encryption and MAC (message authentication code) support, which may be used by the controller firmware 310 to decrypt and authenticate incoming messages. For example, in response to a query or attempt initiating a trusted channel 316 by the back-end server 303, the controller firmware 310 receives a digital certificate, a digital signature, and / or an encrypted message from the back- To communicate with the back-end server 303 via the trust API 324 and the firmware support 322 to request the request. According to one embodiment, the controller firmware 310 may include a PKI-based certificate with a secret key that decrypts the message intended to be decrypted by the multiple device controller 306. Controller firmware 310 may also be preloaded with a symmetric or public encryption key that is limitedly distributed to enable controller firmware 310 to authenticate backend server 303. [ Through a series of handshake signals, the controller firmware 310 and the back-end server 303 can establish a trust channel 316. [ According to one embodiment, the backend server 303 may authenticate, provision, or initialize the encryption key and code in the controller firmware 310. [

According to one embodiment, the controller firmware 310 may include instructions that when executed by the multiple device controller 306 cause the multiple device controller 306 to execute the operations of the method 200 of FIG.

The memory 318 and the system-on-chip 320 may support the multiple device controller 306 upon receiving and executing instructions related to storing data in one or more storage devices 110 in a striping fashion. For example, the multiple device controller 306 may be configured to write data to one or more storage devices, with or without parity, in one of bit level, byte level, and block level striping schemes.

The host device 302 may include anti-malware and / or antivirus software (AVS) applications 326 that may be executed by the host CPU of the host device 302 to perform anti-malware protection related operations. It may be advantageous for the AVS application 326 to be able to communicate with the multiple device controller 306 via the trusted channel 316. [ The AVS application 326 may use the AVS kit 328 to follow a protocol recognizable by the trust API 324 of the controller firmware 310. [ Similar to the backend server 303, the AVS application 326 encrypts messages that can be decrypted by the multi-device controller 306 using encryption keys and / or code stored in the controller firmware 310, The trusted communication channel 330 may be initiated and configured with the multi-device controller 306. [

The AVS application 326 can identify and remove malware residing in the storage of one or more storage devices 110. [ The AVS application 326 may identify the malware by inserting and encrypting the read command and the target storage location of the storage device 110 into the operand of the read or write command sent to the multiple device controller 306. [ The AVS application 326 compares the read data to a predetermined pattern to compare the data read from the storage location and identifies the malware residing in the storage location. The AVS application 326 may then use an application 332 to notify the user or the electronic system that the malware has been identified on the storage device. The application 332 may be configured to authorize the AVS application 326 to correct or delete the infected storage location, or it may be configured to instruct the AVS application to wait for additional instructions from the user. Thus, the system 300 may be used to perform anti-malware protection related operations on a system having one or more storage devices 110. [

FIG. 4 illustrates a communication sequence 400 that performs a trust reading of a plurality of storage devices in accordance with one embodiment of the present disclosure. At 404, an anti-virus and / or anti-malware (AV / AM) agent 402, such as an AVS program running on the computing device 100 or the host device 302 encrypts the command address with the session key, A list of logical block addresses to be issued may be issued.

At 408, the controller firmware 406 may authenticate the request from the AV / AM agent 402 with the session key located in the controller firmware 406, and the controller firmware 406 may process the command.

At 410, the controller firmware 406 may issue a read request to a plurality of storage devices 412 for operation on the Mori block address requested by the AV / AM agent 402.

At 414, the storage device 412 may return the data stored in the requested logical block address to the controller firmware 406.

At 416, the controller firmware 406 may assemble read data and compute a message authentication code (MAC). In an embodiment, the MAC may be computed by performing a hash function on the read data.

At 418, the controller firmware 406 may respond with trusted read data that has been encrypted with the session key.

AM agent 402 compares the authenticity of the trusted read data by computing the MAC of the decrypted data and comparing the MAC of the AV / AM agent 402 to the MAC of the controller firmware 406, for example. Can be verified.

At 422, the AV / AM agent 402 may notify the AV / AM backend 424 if the message authentication fails. The AV / AM backend 424 may then provide a notification to one or more users that the malware could prevent a trusted read.

FIG. 5 illustrates a communication sequence 500 that executes a trust record in accordance with one embodiment of the present disclosure at a logical block address of a plurality of storage devices 412. At 502, the AV / AM agent 402 may issue a trust write command, data to be written, and a list of logical block addresses to be operated or written by encrypting the command address with the session key.

At 504, the controller firmware 406 may authenticate the request from the AV / AM agent 402 with the session key located in the controller firmware 406, and the controller firmware 406 may process the command.

At 506, the controller firmware 406 may issue a write request at a logical block address requested by the AV / AM agent 402 to a plurality of storage devices 412 of issued data.

At 508, the controller firmware 406 may issue a read request to the storage device 412 to confirm that the data has been successfully written.

At 510, the storage device 412 may return the data stored in the logical block address to the controller firmware 406.

At 512, the controller firmware 406 can assemble the read data and compute the MAC of the data.

At 514, the controller firmware 406 may respond to the AV / AM agent 402 with the recorded data confirmation that was encrypted with the session key.

At 516, the AV / AM agent 402 may verify the authenticity of the trustworthy record data.

At 518, the AV / AM agent 402 may notify the AV / AM backend 424 if the message authentication fails.

FIG. 6 illustrates a communication sequence 600 that maintains a trusted connection between the AV / AM agent 402 and the controller firmware 406. At 602, the AV / AM agent may send a heartbeat message to the controller firmware 406. The heartbeat message may be an encrypted message that includes an instruction to acknowledge receipt of the message. The AV / AM agent 402 first encrypts the heartbeat message with the secret key of the public / private key belonging to the AV / AM agent 402 and then encrypts it with the public key of the public / secret key pair belonging to the controller firmware 406 .

At 604, the controller firmware 406 may authenticate the request from the AV / AM agent 402 and process the heartbeat message. The controller firmware 406 may authenticate the request by first authenticating the message with the secret key of the controller firmware 406 and secondly with the public key of the AV / AM agent 402.

At 606, the controller firmware 406 may generate a heartbeat message as a MAC. The MAC may be computed on data initially encrypted and transmitted by the AV / AM agent 402.

At 608, the controller firmware 406 may respond with a heartbeat response and a MAC.

At 610, the AV / AM agent 402 may verify the authenticity of the heartbeat message. By actively and periodically maintaining and verifying a trusted connection between the AV / AM agent 402 and the controller firmware 406, the AV / AM agent can determine whether the heartbeat connection is interrupted by an unexplained condition You can be notified of a new existence.

Some examples of various embodiments are disclosed hereinafter.

In various embodiments, the at least one computer-readable storage medium includes a plurality of storage devices configured to allow a controller of the plurality of storage devices to receive a first instruction from a host computing device coupled to the controller in response to execution of the instruction by the controller Command. The first instruction may comprise a first address and an operand. The first instruction may be associated with a nominal antimalware protection related action, and the first address may refer to a first one or more storage locations of the storage device. The controller may also recover from the operand a second instruction that may be operated in a second one or more storage locations of the storage device. The second instruction may be substantially associated with an anti-malware protection related operation, wherein the first and second one or more storage locations differ by at least one storage device. The controller may execute a second instruction to operate at a second one or more storage locations to effect anti-malware protection related operations. The controller may receive the first instruction through a trusted connection communicatively coupling the controller and the host computing device. The controller may establish a trusted connection between the controller and the host computing device via a second channel that can couple the controller to the host computing device. The controller and the host computing device may further be coupled together via a first channel.

In another embodiment, the anti-malware protection operation may be one of a read operation and a write operation to be performed at the second one or more storage locations. During a read operation, the controller may assemble the read data from the second one or more storage locations to form assembled data, and return the assembled data to the host computing device as the read output data of the first instruction.

In another embodiment, the controller for recovering the second instruction from the operand may be configured to decode or decode the operand based on the instruction.

In another embodiment, the controller may use the secret key to decode or decode the second instruction from the operand.

In another embodiment, the instruction may include a certificate of the controller. The certificate may include a secret key.

In another embodiment, the controller of the storage device may execute a second instruction to operate in a second one or more storage locations of the storage device, while the storage device comprises an array of independent disks.

In various embodiments, the data may be stored in a striped fashion on an array of independent disks using either bit-level, byte-level, and block-level striping and using either dedicated parity or distributed parity. Data can be stored in stripes on an array of independent disks using byte-level striping and dedicated parity. The second instruction may be encrypted to prevent malware from detecting anti-malware protection related actions.

In various embodiments, the controller of the storage device may use a dual encryption layer.

In an embodiment, the method may include receiving a first instruction from a host computing device by a controller of the plurality of storage devices. The host computing device may be coupled to the controller. The first instruction may comprise a first address and an operand. The first instruction may be associated with a nominal antimalware protection related action, and the first address may refer to a first one or more storage locations of the storage device. The method may include recovering, by the controller, a second instruction to be operated at a second one or more storage locations of the storage device from the operand. The second instruction may be substantially associated with anti-malware protection related operations, and the first and second one or more storage locations may be different depending on at least one storage location. The method may include executing a second instruction by a controller to operate on a second instruction to perform an anti-malware protection related operation.

According to various embodiments, the receiving step may include receiving a first instruction through a trusted connection communicatively coupling the controller and the host computing device. The method may further comprise, by the controller, establishing a trusted connection between the controller and the host computing device over the second channel. The second channel may couple the controller to the host computing device. The controller and the host computing device may further be coupled together via a first channel. The operand may be encrypted and the step of recovering the second instruction from the operand may comprise decrypting the operand by using the secret key.

According to various embodiments, the first and second instructions may be read or write instructions. For a read command, the method comprises: assembling data read from a second one or more storage locations by a controller to form assembled data; and writing the data assembled by the controller as read out data of a first instruction To the host computing device. The storage device may comprise an array of independent disks. Data can be stored in stripes on an array of independent disks without parity, mirroring, or redundancy. Data can be stored in stripes on an array of independent disks using byte-level striping and dedicated parity.

In an embodiment, an apparatus may include a plurality of data storage devices, and at least one controller communicatively coupled to the data storage device. The at least one controller may be configured to write data to and read data from the data storage device in response to the first number of instructions. The controller may be configured to receive a first store instruction comprising a first operand and a first address corresponding to a first one or more storage locations. The controller may be configured to recover the second store instruction based on the first operand. The second store instruction may include a second address corresponding to a second one or more storage locations different from the first one or more storage locations according to the at least one storage location. The controller may be configured to execute a second store instruction to operate at a second one or more storage locations to effect anti-malware protection related operations.

In various embodiments, the controller may be configured to receive the first store instruction from the host computing device by a trusted logical connection between the controller and the host computing device over the second channel. The second channel is capable of communicatively coupling the controller and the host computing device. The controller and the host computing device may further be coupled together via a first channel.

In various embodiments, the controller may be further configured to respond to the first set of instructions over the first channel and to the second set of instructions over the second channel. The second instruction set may include fewer instructions than the first instruction set. The second channel may be an out-of-band channel. The data storage device may comprise an array of independent disks. Data can be stored in stripes on an array of independent disks using either bit-level, byte-level, and block-level striping and using either dedicated parity or distributed parity storage techniques. The controller may include a parity generator configured to support the encrypted communication by the controller.

In various embodiments, an apparatus may include a plurality of data storage devices, and at least one controller communicatively coupled to the data storage device. The at least one controller may be configured to receive a read and write command encoded with a dummy address. The at least one controller may be configured to decode the actual read and write addresses that were encrypted by the malware protection related program to the operands of the respective read and write instructions.

In various embodiments, the actual read and write addresses may be encrypted with a public key, and at least one controller may be configured to decrypt the actual read and write addresses with a secret key corresponding to the public key.

In various embodiments, the received read and write addresses may be encrypted at a dual level of encryption and at least one controller may be configured to decrypt the dual level of encryption.

The specific details of any of the above-described embodiments may be wholly or partially combined with one or more other embodiments to form a new embodiment of the disclosure in whole or in part.

Claims (28)

A computer readable storage medium comprising a computer program having a plurality of instructions for providing antimalware protection,
Wherein the plurality of instructions cause the controller of the plurality of storage devices to perform the steps of:
Wherein the first instruction comprises a first address and an operand, the first instruction is associated with a nominal antimalware protection related operation, the first instruction is associated with a first address and an operand, Refers to a first one or more storage locations of the plurality of storage devices,
The second instruction being operative to substantially operate in the second one or more storage locations of the plurality of storage devices from the operand, wherein the second instruction is substantially associated with the anti-malware protection related operation, The storage location and the second one or more storage locations differ by at least one storage location,
To perform the anti-malware protection related operation, the anti-malware protection-related operation causing the second instruction to be executed in the second one or more storage locations, Or recording operation,
For the read operation, the plurality of instructions may also cause the controller to assemble data read from the second one or more storage locations to form assembled data, 1 < / RTI > command to the host computing device,
For the write operation, the plurality of instructions may also be configured to cause the controller to store data in a striped manner within the second one or more storage locations
Computer readable storage medium.
The method according to claim 1,
Wherein the controller is capable of receiving the first instruction through a trusted connection that communicatively combines the controller and the host computing device and the plurality of instructions also cause the controller to respond to execution of the instruction,
And to establish the trusted connection between the controller and the host computing device via a secondary channel coupling the controller to the host computing device,
The controller and the host computing device may also be coupled to each other via a primary channel
Computer readable storage medium.
The method according to claim 1,
Wherein the plurality of instructions configured to cause the controller to recover the second instruction from the operand are further configured to cause the controller to decode or decode the operand based on the plurality of instructions
Computer readable storage medium.
The method of claim 3,
Wherein the plurality of instructions are configured to cause the controller to decode or decode the second instruction from the operand using a secret key
Computer readable storage medium.
5. The method of claim 4,
Wherein the plurality of commands include a certificate of the controller, and the certificate includes the secret key
Computer readable storage medium.
The method according to claim 1,
Wherein the plurality of storage devices comprise an array of independent disks
Computer readable storage medium.
The method according to claim 6,
Data is stored in an array of independent disks in a striped fashion using one of bit level, byte level, and block level striping and using either dedicated parity or distributed parity
Computer readable storage medium.
The method according to claim 1,
The second instruction is encrypted to prevent malware from detecting the anti-malware protection related operation
Computer readable storage medium.
A method for providing antimalware protection,
Receiving a first instruction from a host computing device coupled to the controller by a controller of the plurality of storage devices, the first instruction comprising a first address and an operand, the first instruction being associated with a nominal anti- Wherein the first address refers to a first one or more storage locations of the plurality of storage devices,
Recovering, by the controller, a second instruction to be operated at a second one or more storage locations of the plurality of storage devices from the operand, the second instruction being substantially associated with the anti-malware protection related operation, The first one or more storage locations and the second one or more storage locations differ by at least one storage location,
Executing, by the controller, the second instruction operating in the second one or more storage locations to perform the anti-malware protection related operation, the first instruction and the second instruction being a read instruction or a write instruction Lt; RTI ID = 0.0 >
For the read command, the method further comprises: assembling data read from the second one or more storage locations by the controller to form assembled data; and writing the assembled data by the controller To the host computing device as readout output data of the first instruction,
For the write command, the method further comprises storing data in a striped fashion on the plurality of storage devices by the controller
How to provide anti-malware protection.
10. The method of claim 9,
Wherein the receiving comprises receiving the first instruction through a trusted connection communicatively coupling the controller and the host computing device,
The method further comprises the step of forming, by the controller, the trusted connection between the controller and the host computing device via a secondary channel coupling the controller to the host computing device,
The controller and the host computing device may also be coupled to each other via a primary channel
How to provide anti-malware protection.
10. The method of claim 9,
The operand is encrypted,
Wherein recovering the second instruction from the operand comprises decrypting the operand by using a secret key
How to provide anti-malware protection.
10. The method of claim 9,
Data is stored in stripes on arrays of independent disks without parity, mirroring, or redundancy.
How to provide anti-malware protection.
10. The method of claim 9,
Data is stored in stripes on an array of independent disks using byte-level striping and dedicated parity
How to provide anti-malware protection.
A plurality of data storage devices,
And at least one controller communicatively coupled to the plurality of data storage devices and configured to write data to the plurality of data storage devices and read data from the plurality of data storage devices in response to a first plurality of instructions However,
The controller comprising:
Wherein the first store instruction comprises a first operand and a first address corresponding to a first one or more storage locations of the plurality of storage devices,
Recovering a second store instruction based on the first operand, wherein the second store instruction is different from the first one or more store locations by at least one store location, the second one or more store A second address corresponding to the location,
Executing the second store instruction operating at the second one or more storage locations to perform an anti-malware protection related operation, the anti-malware protection related operation comprising a read operation to be performed at the second one or more storage locations, Recording operation,
For the read operation, the controller is further configured to assemble data read from the second one or more storage locations to form assembled data, and to read the assembled data as readout data of the first instruction To the host computing device,
For the write operation, the controller is further configured to store data in a striped fashion within the second one or more storage locations
A device that provides anti-malware protection.
15. The method of claim 14,
The controller is configured to receive the first store instruction from the host computing device by a trusted logical connection between the controller and the host computing device over a second channel communicatively coupling the controller and the host computing device ,
The controller and the host computing device may also be coupled to each other via a first channel
A device that provides anti-malware protection.
15. The method of claim 14,
The controller is also configured to respond to the first instruction set over the first channel and to respond to the second instruction set over the second channel,
Wherein the second instruction set includes fewer instructions than the first instruction set
A device that provides anti-malware protection.
15. The method of claim 14,
The second channel is an out-of-band channel
A device that provides anti-malware protection.
15. The method of claim 14,
Wherein the plurality of data storage devices comprise an array of independent disks
A device that provides anti-malware protection.
19. The method of claim 18,
Data is stored in a striped fashion on the array of independent disks using one of bit level, byte level, and block level striping and using either dedicated parity or distributed parity storage techniques
A device that provides anti-malware protection.
15. The method of claim 14,
Wherein the controller comprises a parity generator configured to support encrypted communication by the controller
A device that provides anti-malware protection.
A plurality of data storage devices,
At least one controller communicatively coupled to the plurality of data storage devices,
The controller comprising:
Receiving a read and write command encoded with a wrong read and write address,
The actual read and write addresses that have been encrypted by the malware protection related program are decoded into the operands of the respective read and write commands,
For a read command, the controller is further configured to assemble data read from the actual read and write address to form assembled data, return the assembled data as read out data of the read command,
For a write command, the controller is further configured to store data in a striped fashion within the actual read and write addresses
A device that provides anti-malware protection.
22. The method of claim 21,
Wherein the actual read and write addresses are encrypted with a public key and the at least one controller is configured to decrypt the actual read and write addresses with a secret key corresponding to the public key
A device that provides anti-malware protection.
23. The method of claim 22,
Wherein the received read and write addresses are encrypted with a dual encryption level and the at least one controller is configured to decrypt the dual encryption level
A device that provides anti-malware protection. delete delete delete delete delete

Images